firebase/firebaseui-web

firebase.auth.Auth.onIdTokenChanged should return accessToken

Closed this issue · 7 comments

For applications requiring the accessToken from a provider to make further API requests to said provider (for example, making requests to various Google APIs), they can fetch the initial access token via getRedirectResult() or signInWithPopup(), since these both pass firebase.auth.UserCredential.

However, when an access token is periodically refreshed, there's no means to get a corresponding firebase.auth.UserCredential.

It seems as though since onIdTokenChanged is triggered for token refreshes whereas onAuthStateChanged is not, that onIdTokenChanged should pass a firebase.auth.UserCredential instead of firebase.User.

Is there any other means to listen for changes to the accessToken upon refresh?

The underlying Firebase Auth SDK does not manage OAuth credentials. After the sign-in operation, they discard your OAuth credentials, including the OAuth refresh tokens. The primary goal of Firebase Auth is AuthN and not AuthZ. onIdTokenChanged listener is used to detect Firebase Auth ID token changes and has nothing to do with the underlying authentication provider.

If you think Firebase Auth should manage OAuth tokens, please file a feature request via Firebase Support channels and explain why you think this is a critical functionality that Firebase Auth should support.

If getting a Google OAuth token is a requirement for your application, you should consider using the Google Sign in library for web which manages OAuth token refresh. Using that, you can sign in with Firebase Auth too but this is not compatible with FirebaseUI.

Thanks @bojeil-google! Makes sense when you consider that design decision. I do think that this feature request should be considered for firebase auth since I doubt that I'm the only one who wants to use a Google API with the access token granted.

That said, even if this doesn't land in firebase anytime soon, I think what would be immensely helpful is a full example of how to use GAPI to auth and pass those credentials to firebase. I plan to write up an example on this soon and will post it to this thread for others to have a look at.

Sounds good, @msukmanowsky.

Hi @bojeil-google, I added a full example here https://github.com/msukmanowsky/gapi-firebase that uses gapi to sign in/authorize a user and uses the returned credentials to sign in with Firebase.

Could you have a look and let me know if I've missed any edge cases you know of?

I took a quick look. I think it looks fine but one downside is that this will sign in with Firebase every time the page is reloaded as the GAPI sign in callback will trigger on every page.

Ah, that's true. Should it just check for currentUser in that case? Or should this flow be explicitly reserved for sign in and on other pages, you'd try to use onAuthStateChanged?

Also, I'm getting an odd error when trying to use the redirect method for gapi, any ideas there? Only popup seems to work. https://stackoverflow.com/questions/48490829/google-api-invalid-request-permission-denied-to-generate-login-hint-for-target

You could just add the logic when needed. Basically if no user is signed in and a user needs to sign in. There are multiple ways you can do this as you described.

If you are having issues with gapi, file a report via the appropriate channels. I am not familiar with this issue.
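One way to implement the "only sign in when no matching user is signed in" check discussed in the last few comments, as an added example that is not code from this thread or from the gapi-firebase repository. The handler name `onGoogleUserChanged` and the injected `auth` and `makeCredential` parameters are assumptions; in a page using the namespaced SDK they would be `firebase.auth()` and `firebase.auth.GoogleAuthProvider.credential`.

```javascript
// Added example. `auth` is a firebase.auth.Auth-like object and `makeCredential`
// wraps firebase.auth.GoogleAuthProvider.credential; both are injected
// (an assumption of this sketch) so the logic runs without the SDK loaded.
const GOOGLE_PROVIDER_ID = 'google.com'; // firebase.auth.GoogleAuthProvider.PROVIDER_ID

// True when the Firebase user is already backed by this exact Google account.
function isUserEqual(googleUser, firebaseUser) {
  if (!googleUser || !firebaseUser) return false;
  const googleUid = googleUser.getBasicProfile().getId();
  return (firebaseUser.providerData || []).some(
    (p) => p && p.providerId === GOOGLE_PROVIDER_ID && p.uid === googleUid
  );
}

// Sign in only when gapi has a user and Firebase does not already hold it.
function needsFirebaseSignIn(googleUser, firebaseUser) {
  if (!googleUser || !googleUser.isSignedIn()) return false;
  return !isUserEqual(googleUser, firebaseUser);
}

// auth.currentUser is null until the SDK restores persisted state, so wait
// for the first onAuthStateChanged event before comparing.
function waitForInitialUser(auth) {
  return new Promise((resolve) => {
    let unsubscribe = () => {};
    unsubscribe = auth.onAuthStateChanged((user) => {
      unsubscribe();
      resolve(user);
    });
  });
}

// Handler for the gapi sign-in callback (hypothetical name).
async function onGoogleUserChanged(googleUser, auth, makeCredential) {
  const firebaseUser = await waitForInitialUser(auth);
  if (!needsFirebaseSignIn(googleUser, firebaseUser)) return 'skipped';
  // Passing true asks gapi to include the access token in the response.
  const { id_token: idToken, access_token: accessToken } = googleUser.getAuthResponse(true);
  await auth.signInWithCredential(makeCredential(idToken, accessToken));
  return 'signed-in';
}
```

Comparing the provider `uid` rather than only testing for a non-null `currentUser` also covers the case where the browser holds a Firebase session for a different Google account than the one gapi reports.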